Penetration Testing mailing list archives

RE: Device fingerprinting

From: "Fernando Cardoso" <fernando.cardoso () whatevernet com>
Date: Tue, 20 Aug 2002 10:23:18 +0100

If I had to guess, I would say BorderWare Firewall Server
(http://www.borderware.com/products/fw/fwserver.html). It has proxy support
for the protocols that use the open ports you found from the Internet and it
uses port 442 for management over HTTPS.

Cheers

Fernando

--
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardoso () whatevernet com     http://www.whatevernet.com/



Hi list,

Recently I came against a weird network infrastructure. Can you help me
identify the types of devices used?

I have this:

[Internet]
----------------------
[An unknown device]
----------------------------------------
[Box 1-Webserver] [Box 2-Mailserver]

I was able to compromise the mailserver using web exploits.
Portscans of each devices from either the internet or the
mailserver yields
different results as shown above.

------------------
From the internet:
------------------
Unknown device:
     Open ports: 21,23,25,53,80,109,110,442
     Closed ports: 49400,54320,61439,61440,61441,65301
     Filtered: Everything else
     Replies to echo requests: No
     Nmap tcp fingerprint: FreeBSD 2.2.1 - 4.1, FreeBSD 4.1.1 - 4.3 (X86)

Webserver:
     Open ports: 21,80,3306
     Closed ports: 49400,54320,61439,61440,61441,65401
     Filtered: Everything else
     Replies to echo requests: No
     Nmap tcp fingerprint: FreeBSD 2.2.1 - 4.1, FreeBSD 4.1.1 - 4.3 (X86)

Mailserver:
     Open ports: 80,110
     Closed ports: None
     Filtered: Everything else
     Replies to echo requests: No
     Nmap tcp fingerprint: spcheck reports SP6 b1381

[...]


_____________________________________________________________________
                      INTERNET MAIL FOOTER 
A presente mensagem pode conter informação considerada confidencial.
Se o receptor desta mensagem não for o destinatário indicado, fica
expressamente proibido de copiar ou endereçar a mensagem a terceiros.
Em tal situação, o receptor deverá destruir a presente mensagem e por
gentileza informar o emissor de tal facto.
---------------------------------------------------------------------
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
---------------------------------------------------------------------


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

Device fingerprinting TB (Aug 19)
- RE: Device fingerprinting Fernando Cardoso (Aug 20)
- Looks like a Borderware firewall (was Re: Device fingerprinting) Javier Fernández-Sanguino Peña (Aug 21)
- <Possible follow-ups>
- Re: Device fingerprinting The Blueberry (Aug 20)